Fraud detection electronic control unit, electronic control unit, and non-transitory recording medium in which computer program is described

ABSTRACT

A fraud detection electronic control unit is connected to an electronic control unit through an in-vehicle network system. The fraud detection electronic control unit includes a storage and a determination unit. The storage stores a first regulation for determining whether the frame transmitted from the electronic control unit is fraudulent. The determination unit determines whether the frame transmitted from the electronic control unit is fraudulent pursuant to the first regulation. When a predetermined condition is satisfied, the storage acquires a second regulation retained by the electronic control unit and updates the stored first regulation.

TECHNICAL FIELD

The present invention relates to a data processing technique, particularly to a fraud detection electronic control unit, an electronic control unit, an in-vehicle network system, a fraud detection method, and a computer program.

BACKGROUND ART

Recently, many electronic control units (hereinafter referred to as ECUs) are disposed in a vehicle. A network connecting the ECUs is called an in-vehicle network system. Many standards exist for in-vehicle network systems, and CAN (controller area network) can be cited as a widely used standard.

A method for monitoring a frame flowing on the in-vehicle network system using a fraud detection ECU connected to the in-vehicle network system has been proposed in order to detect the connection of a fraudulent ECU on the in-vehicle network system (for example, see PTL 1).

CITATION LIST

Patent Literature

PTL 1: International Publication No. 2015/159520

SUMMARY OF THE INVENTION

The present invention provides a technique of easily improving the security of the in-vehicle network system.

According to an aspect of the present invention, a fraud detection electronic control unit is connected to an electronic control unit through an in-vehicle network system. The fraud detection electronic control unit includes a storage and a determination unit. The storage stores a first regulation in order to determine whether a frame transmitted from an electronic control unit is fraudulent. The determination unit determines whether the frame transmitted from the electronic control unit is fraudulent pursuant to the first regulation. When a predetermined condition is satisfied, the storage acquires a second regulation retained by the electronic control unit and updates the stored first regulation.

According to another aspect of the present invention, an electronic control unit is connected to a fraud detection electronic control unit through an in-vehicle network system. The electronic control unit includes a storage and a transmission and reception unit. The storage stores the regulation for determining whether a frame transmitted onto the in-vehicle network system is fraudulent, the frame having the same frame ID (identification) as a frame transmitted from the electronic control unit. The transmission and reception unit receives a regulation transmission request from the fraud detection electronic control unit. The transmission and reception unit transmits the regulation stored in the storage to the fraud detection electronic control unit in response to the regulation transmission request, the regulation being used in order that the fraud detection electronic control unit determines whether the frame of the same frame ID as the frame transmitted from the electronic control unit is fraudulent.

According to still another aspect of the present invention, the in-vehicle network system includes an electronic control unit and a fraud detection electronic control unit connected to the electronic control unit through an in-vehicle network system. The fraud detection electronic control unit includes a first storage, a determination unit, and a first transmission and reception unit. The first storage stores a first regulation in order to determine whether a frame transmitted from the electronic control unit is fraudulent. The determination unit determines whether the frame transmitted from the electronic control unit is fraudulent pursuant to the first regulation. When a predetermined condition is satisfied, the first transmission and reception unit transmits a second regulation transmission request to the electronic control unit. When the predetermined condition is satisfied, the first storage acquires a second regulation retained by the electronic control unit and updates the stored first regulation. The electronic control unit includes a second storage and a second transmission and reception unit. The second storage stores the second regulation for determining whether a frame transmitted onto the in-vehicle network system is fraudulent, the frame having the same frame ID as a frame transmitted from the electronic control unit. The second transmission and reception unit receives the second regulation transmission request, and transmits the second regulation previously stored in the second storage to the fraud detection electronic control unit in response to the second regulation transmission request.

According to still another aspect of the present invention, a fraud detection method is performed by a fraud detection electronic control unit connected to an electronic control unit through an in-vehicle network system, the fraud detection electronic control unit storing, in a storage, a regulation for determining whether a frame transmitted from the electronic control unit is fraudulent. The fraud detection method includes determining whether a frame transmitted from the electronic control unit is fraudulent pursuant to a first regulation. The fraud detection method includes acquiring a second regulation retained by the electronic control unit and updating the first regulation stored in the storage when a predetermined condition is satisfied.

According to still another aspect of the present invention, a fraud detection method is performed by an electronic control unit connected to a fraud detection electronic control unit through an in-vehicle network system, the electronic control unit storing, in a storage, a regulation for determining whether a frame of the same frame ID as a frame transmitted from the electronic control unit is fraudulent. The fraud detection method includes receiving a regulation transmission request from the fraud detection electronic control unit. The fraud detection method includes transmitting the regulation stored in the storage to the fraud detection electronic control unit in response to the regulation transmission request, the regulation being used in order that the fraud detection electronic control unit determines whether the frame transmitted from the electronic control unit is fraudulent.

A combination of the above components and other components, a computer program, a recording medium in which the computer program is recorded, and a vehicle including the device are still effective as other aspects of the present invention.

The present invention can easily improve the security of the in-vehicle network system.

BRIEF DESCRIPTION OF DRAWINGS

FIG. 1 is a view illustrating a configuration of an in-vehicle network system according to an exemplary embodiment.

FIG. 2 is a block diagram illustrating a functional configuration of an ECU in FIG. 1.

FIG. 3 is a view illustrating a configuration of a fraud determination rule.

FIG. 4 is a block diagram illustrating a functional configuration of a security ECU in FIG. 1.

FIG. 5 is a flowchart illustrating operation of the ECU in FIG. 1.

FIG. 6 is a flowchart illustrating operation of the security ECU in FIG. 1.

FIG. 7 is a flowchart illustrating details of fraud determination processing in S50 of FIG. 6.

FIG. 8 is a flowchart illustrating an update operation of a fraud determination rule.

DESCRIPTION OF EMBODIMENT

A problem found in the conventional technique will briefly be described prior to description of an exemplary embodiment of the present invention. In the method of PTL 1, the fraud detection ECU determines whether the frame transmitted from another ECU is fraudulent based on a previously defined fraud determination rule. For this reason, it is necessary to previously store the fraud determination rule corresponding to a type of the ECU connected to an in-vehicle network system in the fraud detection ECU. However, individual adjustment of the fraud determination rule stored in the fraud detection ECU is difficult to perform according to the type of the ECU connected to the in-vehicle network system, or due to repair replacement of the ECU or update of firmware, and there is room for improvement.

An outline of the exemplary embodiment will be described prior to the description of a configuration of the exemplary embodiment. Sometimes the fraud detection ECU determines whether the frame transmitted from another ECU (in other words, an ECU that is an inspection target to be inspected, also referred to as an inspection target ECU) is fraudulent in order to detect that the fraudulent ECU is connected on the in-vehicle network system. It is necessary to individually adjust the fraud determination rule stored in the fraud detection ECU according to the type of the inspection target ECU connected to the in-vehicle network system. Conventionally, sometimes management of the fraud detection ECU and the fraud determination rule becomes troublesome. In the case that the fraud determination rule changes due to the repair replacement of the inspection target ECU or the update of firmware, it is also necessary to correctly change the fraud determination rule retained by the fraud detection ECU. However, conventionally the management of the update is not easy to maintain.

In an in-vehicle network system of the exemplary embodiment, the inspection target ECU retains the fraud determination rule in order to inspect the frame having the same frame ID as the frame transmitted by itself, and the inspection target ECU presents the fraud determination rule to the fraud detection ECU. The fraud detection ECU determines whether the frame transmitted from each inspection target ECU is fraudulent based on the fraud determination rule presented by the inspection target ECU.

FIG. 1 illustrates a configuration of the in-vehicle network system of the exemplary embodiment. In-vehicle network system 12 is a communication system constructed in vehicle 10, and includes ECU 14a, ECU 14b (hereinafter, generally referred to as ECU 14) and security ECU 20. ECU 14 and security ECU 20 are connected through CAN 22, and transmit and receive the frame pursuant to a CAN protocol.

ECU 14a and ECU 14b correspond to the inspection target ECU. ECU 14a is connected to sensor 16 such as a speed sensor and a window open or closed sensor, and transmits to CAN 22 frames carrying information detected by sensor 16, such as a frame indicating a vehicle speed and a window open or closed state. ECU 14b is connected to actuator 18 (such as a brake actuator), and controls actuator 18 based on the frame received from CAN 22. ECU 14b transmits the frame indicating a state of actuator 18 to security ECU 20 through CAN 22.

Security ECU 20 corresponds to the fraud detection ECU. Security ECU 20 determines whether the inspection target ECU that transmits the fraudulent frame is connected to CAN 22 based on whether a plurality of frames transmitted from a plurality of ECUs 14 are fraudulent.

FIG. 2 is a block diagram illustrating a functional configuration of ECU 14 in FIG. 1. ECU 14 includes reception buffer 30, rule-retaining unit 32, frame transmission and reception unit 34, frame interpreter 36, data transmission and reception unit 38, and frame generator 40. Each block illustrated in the block diagrams of the description can be constructed with an element or a mechanical device including a central processing unit (CPU) and a memory of a computer in a hardware manner or a computer program in a software manner. In this case, a functional block constructed with cooperation of the hardware and the software is illustrated in the block diagrams. Those skilled in the art understand that the functional block is constructed with a combination of the hardware and the software in many ways.

For example, a computer program including modules corresponding to frame transmission and reception unit 34, frame interpreter 36, data transmission and reception unit 38, and frame generator 40 may be stored in a read-only memory (ROM) of ECU 14. The CPU of ECU 14 may exert a function of each block by appropriately reading the computer program on a random-access memory (RAM) of ECU 14. Reception buffer 30 and rule-retaining unit 32 may be constructed with the ROM or RAM of ECU 14. Alternatively, the functional block may be constructed with a large-scale integration (LSI) that is a physically dedicated circuit.

Reception buffer 30 is a storage area in which frame data received from CAN 22 is temporarily stored. Rule-retaining unit 32 is a storage area in which a fraud determination rule is stored. The fraud determination rule retained by rule-retaining unit 32 is data in which a reference or a regulation is defined in order to determine whether the frame having the same frame ID as the frame (such as a remote frame and a data frame of the CAN) transmitted from own ECU 14 (that is, own device) is fraudulent.

FIG. 3 illustrates a configuration of the fraud determination rule. Fraud determination rule 50 includes the frame ID, individual determination rule 52, external reference determination rule 54, an ECU model number, a version number, and a falsification detecting check value. An ID value provided to the target frame determined by fraud determination rule 50 is set to the frame ID. In the exemplary embodiment, the unique frame ID is defined in each type of the frame and each ECU 14 of a frame transmission source.

An identifier of ECU 14 that is an original source of fraud determination rule 50 is set to the ECU model number. A version number of fraud determination rule 50 is set to the version number. In the exemplary embodiment, both a major version number and a minor version number are set to the version number. Message authentication code (MAC) data that is generated based on a predetermined common key and data of fraud determination rule 50 may be set to the falsification detecting check value, or data obtained by applying a general digital signature to fraud determination rule 50 may be set to the falsification detecting check value.

A rule relating to the frame transmitted by ECU 14 (for example, ECU 14a) that is the original source of fraud determination rule 50 is common to individual determination rule 52 and external reference determination rule 54. Individual determination rule 52 and external reference determination rule 54 are different from each other in that a fraud determination condition of individual determination rule 52 relates only to the frame transmitted by ECU 14 (for example, ECU 14a). On the other hand, the fraud determination condition of external reference determination rule 54 relates to not only the frame transmitted by ECU 14 (for example, ECU 14a) but also the frame transmitted by another ECU (for example, ECU 14b).

Individual determination rule 52 includes a frame data length, a transmission period, and a transmission frequency. The frame data length designates a value or a range that can be taken as a data length of the frame. Fraud determination unit 70 (see FIG. 4) of security ECU 20 (to be described later) determines that the frame having the data length that deviates from the designated value or range is fraudulent. For example, an upper limit and a lower limit may be designated as a setting value of the frame data length.

A period in which the frame having the frame ID appears on CAN 22 is designated to the transmission period. Fraud determination unit 70 of security ECU 20 stores a previous appearance time (a reception time from CAN 22) of the frame having the frame ID, and determines that the frame is fraudulent in the case that a difference from a current appearance time deviates from the transmission period. For example, an upper limit and a lower limit of the period including a margin may be designated as a setting value of the transmission period.

A frequency at which the frame having the frame ID appears on CAN 22 is designated to the transmission frequency. Fraud determination unit 70 of security ECU 20 counts the number of appearance times (the number of reception times from CAN 22) until a predetermined unit time elapses from a certain time, and determines that the frame is fraudulent in the case that a count value deviates from the designated range of the transmission frequency. For example, an upper limit and a lower limit of the number of appearance times may be designated as a setting value of the transmission frequency. In the fraud determination using individual determination rule 52, whether the value of each of the frame data length, the transmission period, and the transmission frequency deviates from the designated range is determined, and the fraudulent frame is determined when at least one of the frame data length, the transmission period, and the transmission frequency deviates from the designated range. Individual determination rule 52 is not limited to the rule described above, but may include another rule relating to the frame transmitted from ECU 14.
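The three checks of individual determination rule 52 can be sketched as follows. This is an added example, not code from the patent; the field names, the limit values, the frame ID 0x100 and the traces are constructed, and the lower frequency limit is assumed to be evaluated when a counting window closes.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class IndividualRule:
    """Limits of individual determination rule 52 for one frame ID (field names assumed)."""
    frame_id: int
    len_min: int          # frame data length, lower limit (bytes)
    len_max: int          # frame data length, upper limit (bytes)
    period_min_ms: int    # transmission period limits, margin included
    period_max_ms: int
    window_ms: int        # the "predetermined unit time" for the frequency count
    count_min: int        # transmission frequency limits per window
    count_max: int


@dataclass
class FrameState:
    """State the detector keeps per frame ID between receptions."""
    last_seen_ms: Optional[int] = None
    window_start_ms: Optional[int] = None
    count: int = 0


def check_frame(rule, state, ts_ms, data_len):
    """Return the violated checks for one received frame; an empty list means not fraudulent."""
    violations = []
    # 1. Frame data length must lie inside the designated range.
    if not rule.len_min <= data_len <= rule.len_max:
        violations.append("data_length")
    # 2. Difference between previous and current appearance time must match the period.
    if state.last_seen_ms is not None:
        delta = ts_ms - state.last_seen_ms
        if not rule.period_min_ms <= delta <= rule.period_max_ms:
            violations.append("period")
    state.last_seen_ms = ts_ms
    # 3. Appearance count per unit time. The lower limit can only be judged once
    #    the window has elapsed; the upper limit is flagged as soon as it is exceeded.
    if state.window_start_ms is None:
        state.window_start_ms = ts_ms
    if ts_ms - state.window_start_ms >= rule.window_ms:
        if state.count < rule.count_min:
            violations.append("frequency_low")
        state.window_start_ms = ts_ms
        state.count = 0
    state.count += 1
    if state.count > rule.count_max:
        violations.append("frequency_high")
    return violations


def run_trace(rule, trace):
    """Feed (timestamp_ms, data_length) pairs through the checks; return the flagged frames."""
    state = FrameState()
    flagged = []
    for ts_ms, data_len in trace:
        violations = check_frame(rule, state, ts_ms, data_len)
        if violations:
            flagged.append((ts_ms, violations))
    return flagged


# Constructed rule: 8-byte frame, nominal 100 ms period, 9 to 11 frames per second.
RULE = IndividualRule(0x100, 8, 8, 90, 110, 1000, 9, 11)
# Constructed traces: a regular sender, and the same traffic with two extra frames.
CLEAN_TRACE = [(t, 8) for t in range(0, 1001, 100)]
INJECTED_TRACE = sorted(CLEAN_TRACE + [(250, 8), (450, 2)])

if __name__ == "__main__":
    for ts, violations in run_trace(RULE, INJECTED_TRACE):
        print(ts, violations)
```

The regular frame that follows an extra one is flagged on the period check as well, so a period violation points at the affected frame ID rather than at a single frame.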

External reference determination rule 54 includes reference frame information, a reference determination rule element, a reference determination rule arithmetic expression, and determination rule reference data information. Information about data of another frame, which is referred to in the rule, is set to the reference frame information. The reference frame information includes a determination rule reference data identifier as an internal parameter, and a plurality of determination rule reference data identifiers can be set. An identifier (such as a name or ID of a data item) of determination rule reference data used in the reference determination rule element is designated to the determination rule reference data identifier.

A determination regulation (in other words, fraud determination reference) to the data of the item designated by the reference frame information is set to the reference determination rule element. The reference determination rule element includes a set of the reference frame information, the determination condition, and the determination reference value as an internal parameter, and a plurality of sets can be set. The identifier (for example, an index value) of the specific reference frame information that is referred to in a certain rule element is designated to the reference frame information. A type of the determination condition, which is performed using the determination rule reference data and determination reference value that are designated by the specific reference frame information, is designated to the determination condition. The type of the determination condition includes “equal”, “larger”, and “smaller”. A reference value used in the determination is designated to the determination reference value. The determination reference value may be the identifier of the second reference frame information in addition to the designation of a numerical value. In this case, the determination rule reference data retained by the second reference frame information is used as the determination reference value. That is, the determination rule reference data and the determination reference value that are retained by the reference frame information are compared to each other to determine whether the determination condition is satisfied, thereby obtaining a true or false value of the reference determination rule element.

An arithmetic expression is set to the reference determination rule arithmetic expression in order to obtain a determination result. The reference determination rule arithmetic expression includes a set of an operator and the reference determination rule element as the internal parameter, and a plurality of sets can be set. An operator coupling the reference determination rule element is designated to the operator. The reference determination rule element that is a coupling target is designated to the reference determination rule element. That is, in the reference determination rule arithmetic expression, the individual true or false value retained by the individual reference determination rule element is coupled by the operator, and the arithmetic expression is designated in order to obtain the final determination result. The arithmetic expression may be described and stored in reverse Polish notation.

Information about the determination rule reference data that can be designated by another frame is set to the determination rule reference data information. The determination rule reference data information includes a set of the determination rule reference data identifier and a determination rule reference data position as the internal parameter, and a plurality of sets can be set. A value, which is the identifier (such as a data item name and an ID) of the frame data that can be referred to by another frame and is unique in in-vehicle network system 12, is designated to the determination rule reference data identifier.

A position of the data identified by the determination rule reference data identifier is designated to the determination rule reference data position. In other words, the position that is referred to by another frame in a data block included in the frame (the frame specified by the frame ID) is designated to the determination rule reference data position by a byte offset and a bit position. That is, the determination rule reference data information defines the position of the data block in the frame that can be referred to by another frame and the identifier of the data block, and is information that can be designated by the reference frame information about another frame. External reference determination rule 54 is not limited to the rule described above, but may include another rule relating to the frame transmitted from another ECU.
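An evaluator for external reference determination rule 54 can be sketched as follows: reference data is extracted by byte offset and bit position, rule elements compare it with "equal", "larger" or "smaller", and the elements are coupled by an expression stored in reverse Polish notation. This is an added example, not code from the patent. Assumptions: the bit length field, the little-endian bit layout, the AND/OR/NOT operators, True meaning "consistent", the frame IDs, the data item names and the sample rule are all constructed, and each element names its reference data identifier directly instead of going through an index into the reference frame information.

```python
import operator
from dataclasses import dataclass


@dataclass(frozen=True)
class RefDataInfo:
    """Determination rule reference data information: identifier plus position in the frame."""
    identifier: str
    byte_offset: int
    bit_position: int
    bit_length: int   # assumed field; the description gives only offset and bit position


def extract(info, payload):
    """Read the referenced bits (assumed layout: little-endian integer starting at byte_offset)."""
    n_bytes = (info.bit_position + info.bit_length + 7) // 8
    chunk = payload[info.byte_offset:info.byte_offset + n_bytes]
    if len(chunk) < n_bytes:
        raise ValueError(f"payload too short for {info.identifier}")
    raw = int.from_bytes(chunk, "little")
    return (raw >> info.bit_position) & ((1 << info.bit_length) - 1)


CONDITIONS = {"equal": operator.eq, "larger": operator.gt, "smaller": operator.lt}


def eval_element(element, store):
    """element = (reference data identifier, condition, reference value or second identifier)."""
    ref_id, condition, ref_value = element
    left = store[ref_id]                      # KeyError if that frame was never seen
    right = store[ref_value] if isinstance(ref_value, str) else ref_value
    return CONDITIONS[condition](left, right)


def eval_rpn(tokens, elements, store):
    """Couple element truth values; int tokens index elements, str tokens are operators."""
    stack = []
    for tok in tokens:
        if isinstance(tok, int):
            stack.append(eval_element(elements[tok], store))
        elif tok == "NOT":
            stack.append(not stack.pop())
        elif tok in ("AND", "OR"):
            b, a = stack.pop(), stack.pop()
            stack.append((a and b) if tok == "AND" else (a or b))
        else:
            raise ValueError(f"unknown operator {tok!r}")
    if len(stack) != 1:
        raise ValueError("malformed expression")
    return stack[0]


# Constructed layout: frame 0x100 (from ECU 14a) carries speed, frame 0x200 (from ECU 14b) a brake flag.
REF_INFO = {
    0x100: [RefDataInfo("speed_kmh", 0, 0, 16)],
    0x200: [RefDataInfo("park_brake", 2, 3, 1)],
}
# Constructed rule for frame 0x200: NOT(park_brake == 1) OR (speed_kmh < 5).
RULES = {
    0x200: {
        "elements": [("park_brake", "equal", 1), ("speed_kmh", "smaller", 5)],
        "rpn": [0, "NOT", 1, "OR"],
    },
}


def on_frame(frame_id, payload, store):
    """Update the reference data store, then evaluate the frame's external rule.

    Returns True (consistent), False (fraud suspected), or None when the frame
    has no external rule or referenced data has not been received yet (assumed).
    """
    for info in REF_INFO.get(frame_id, []):
        store[info.identifier] = extract(info, payload)
    rule = RULES.get(frame_id)
    if rule is None:
        return None
    try:
        return eval_rpn(rule["rpn"], rule["elements"], store)
    except KeyError:
        return None
```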

Referring to FIG. 2, frame transmission and reception unit 34 transmits and receives the frame to and from CAN 22 pursuant to the CAN protocol. Frame transmission and reception unit 34 receives the data of the frame from CAN 22 bit by bit, and transmits the received data to frame interpreter 36. Frame transmission and reception unit 34 transmits the frame output from frame generator 40 to CAN 22.

Frame interpreter 36 acquires the data of the frame from frame transmission and reception unit 34 bit by bit, and interprets the data pursuant to the CAN protocol. When determining that the acquired data is not pursuant to the CAN protocol, frame interpreter 36 notifies frame generator 40 of an instruction to transmit an error frame even before frame interpreter 36 receives the data for one frame. When the acquired data is pursuant to the CAN protocol, frame interpreter 36 stores the acquired data in reception buffer 30.

In the case that the frame ID is a predetermined value that is a processing target when the reception of one frame is completed, frame interpreter 36 performs frame processing that differs for each type of the ECU. In the processing of the frame, frame interpreter 36 transmits the data to be transmitted to sensor 16 or actuator 18 to data transmission and reception unit 38 as needed. Frame interpreter 36 clears reception buffer 30 when the processing of one frame is completed.

Data transmission and reception unit 38 transmits the data received from frame interpreter 36 to sensor 16 or actuator 18 that is connected to ECU 14. Data transmission and reception unit 38 transmits the data received from sensor 16 or actuator 18 to frame generator 40.

Frame generator 40 receives the data from data transmission and reception unit 38, and generates the frame pursuant to the CAN protocol. For example, frame generator 40 generates the frame in which the frame ID is set according to the type of the data received from data transmission and reception unit 38, the frame including at least part of the data received from data transmission and reception unit 38. Frame generator 40 transmits the generated frame to frame transmission and reception unit 34. In the case that frame generator 40 receives the instruction to transmit the error frame from frame interpreter 36, frame generator 40 generates the error frame, and transmits the error frame to frame transmission and reception unit 34.

A characteristic configuration of ECU 14 of the exemplary embodiment will be described. Frame transmission and reception unit 34 and frame interpreter 36 cooperate with each other to function as a reception unit that receives request data requesting the transmission of fraud determination rule 50 from security ECU 20. Specifically, frame interpreter 36 transmits an instruction to transmit main data of fraud determination rule 50 to frame generator 40 in the case that the ID of the frame received from CAN 22 through frame transmission and reception unit 34 is a first predetermined value requesting the main data of fraud determination rule 50. Frame interpreter 36 transmits an instruction to transmit version information about fraud determination rule 50 to frame generator 40 in the case that the ID of the received frame is a second predetermined value requesting the version information about fraud determination rule 50.

Frame generator 40 and frame transmission and reception unit 34 cooperate with each other to function as a transmission unit that transmits fraud determination rule 50 retained by rule-retaining unit 32 to security ECU 20 in response to the request data received by the reception unit. Specifically, frame generator 40 generates the frame including the whole data of fraud determination rule 50 retained by rule-retaining unit 32 in the case that frame generator 40 receives the instruction to transmit the main data of fraud determination rule 50 from frame interpreter 36. Frame transmission and reception unit 34 transmits the frame including the whole data of fraud determination rule 50 to CAN 22.

Frame generator 40 generates the frame including only the version information about fraud determination rule 50 retained by rule-retaining unit 32 in the case that frame generator 40 receives the instruction to transmit the version information about fraud determination rule 50 from frame interpreter 36. Frame transmission and reception unit 34 transmits the frame including the version information about fraud determination rule 50 to CAN 22.

FIG. 4 is a block diagram illustrating a functional configuration of security ECU 20 in FIG. 1. Security ECU 20 includes reception buffer 60, rule-retaining unit 62, reference data retaining unit 64, frame transmission and reception unit 66, frame interpreter 68, fraud determination unit 70, and frame generator 72. Reception buffer 60, frame transmission and reception unit 66, frame interpreter 68, and frame generator 72 of security ECU 20 correspond to reception buffer 30, frame transmission and reception unit 34, frame interpreter 36, and frame generator 40 of ECU 14 in FIG. 2. In the functional blocks, the configuration of the already described functional block will be omitted.

Rule-retaining unit 62 includes a storage area in which the fraud determination rule (FIG. 3) determining whether the frame transmitted from external ECU 14 is fraudulent is stored. Rule-retaining unit 62 retains the fraud determination rule provided from each of a plurality of ECUs 14 in the in-vehicle network system 12 while correlating the fraud determination rule with each ECU 14. In other words, rule-retaining unit 62 retains the fraud determination rule for each ECU in order to determine whether the frame having the same frame ID as the frame transmitted from each ECU is fraudulent.

Specifically, rule-retaining unit 62 receives an updating fraud determination rule transmitted from frame interpreter 68, and newly stores the updating fraud determination rule in a predetermined storage area while correlating the updating fraud determination rule with an ECU model number included in the updating fraud determination rule. Rule-retaining unit 62 updates the existing fraud determination rule using the updating fraud determination rule in the case that rule-retaining unit 62 already stores the existing fraud determination rule while correlating the existing fraud determination rule with the ECU model number included in the updating fraud determination rule.

Rule-retaining unit 62 further performs version value checking processing and falsification checking processing during new storage or update of the fraud determination rule. Rule-retaining unit 62 transmits the fraud determination rule corresponding to the frame ID received from fraud determination unit 70 to fraud determination unit 70.

Processing of managing the version of the fraud determination rule in the exemplary embodiment will be described. As partially described above, rule-retaining unit 62 retains the ECU model number, the fraud determination rule, the major version number, and the minor version number of each of the plurality of ECUs 14 in a form that prevents the falsification. Each ECU 14 transmits the fraud determination rule to which the ECU model number, the major version number, and the minor version number are provided to security ECU 20. Rule-retaining unit 62 compares the major version number acquired from ECU 14 and the major version previously retained by rule-retaining unit 62 with respect to the fraud determination rule corresponding to the ECU model number acquired from ECU 14.

In the case that the major version numbers of the fraud determinationrules are not matched with each other, rule-retaining unit 62 newlystores the fraud determination rule acquired from ECU 14 inrule-retaining unit 62. Alternatively, rule-retaining unit 62 updates,namely, replaces the existing fraud determination rule of rule-retainingunit 62 using the fraud determination rule acquired from ECU 14. In thecase that the major version numbers of the fraud determination rules arenot matched with each other, rule-retaining unit 62 updates the frauddetermination rule of rule-retaining unit 62 irrespective of a magnitudecorrelation of the major version numbers of the fraud determinationrules and a difference between the minor version numbers of the frauddetermination rules. Even if the major version number acquired from ECU14 is older than the major version number previously retained byrule-retaining unit 62, rule-retaining unit 62 updates the frauddetermination rule of rule-retaining unit 62. For example,rule-retaining unit 62 replaces the existing data of rule-retaining unit62, which is correlated with the ECU model number acquired from ECU 14,with the fraud determination rule, the major version number, and theminor version number that are acquired from ECU 14.

The mismatch between the major version number retained by ECU 14 and the major version number retained by security ECU 20 is generated in the case that ECU 14 is replaced (for example, the case that ECU 14 is replaced with old-form ECU 14) and the like. When the major versions differ from each other, there is a possibility that the individual determination rule and the external reference determination rule change largely. For this reason, desirably the fraud determination rule retained by security ECU 20 is updated according to ECU 14.

In the case that the major version numbers of the fraud determinationrules are matched with each other, rule-retaining unit 62 furthercompares the minor version number acquired from ECU 14 and the minorversion number previously retained by rule-retaining unit 62 withrespect to the fraud determination rule corresponding to the ECU modelnumber acquired from ECU 14. Rule retaining unit 62 updates the existingfraud determination rule of rule-retaining unit 62 using the frauddetermination rule acquired from ECU 14 on a condition that the value ofthe minor version acquired from ECU 14 is newer than the value of theminor version previously retained by rule-retaining unit 62 (forexample, a larger number). This is because there is a low possibilitythat the fraud determination rule changes largely when the major versionnumbers of the fraud determination rules are matched with each other,and the newer minor version number is compatible with addition of anewer function and bug correction.

As a modification, a single type of version number that is not divided into the major version number and the minor version number may be correlated with the fraud determination rule. Rule-retaining unit 62 of security ECU 20 may update the existing fraud determination rule of rule-retaining unit 62 using the fraud determination rule acquired from ECU 14 in the case that the version number acquired from ECU 14 is newer than the version number previously retained by rule-retaining unit 62 with respect to the fraud determination rule corresponding to the ECU model number acquired from ECU 14.

The falsification checking processing in the exemplary embodiment will be described below. Rule-retaining unit 62 of security ECU 20 retains a root CA (Certificate Authority) certificate in a form that prevents falsification. Each ECU 14 retains a signed ECU certificate whose signature can be verified by the root CA certificate, and its own fraud determination rule signed by a secret key corresponding to the ECU certificate. Each ECU 14 transmits the ECU certificate and the signed fraud determination rule to security ECU 20. Rule-retaining unit 62 of security ECU 20 verifies the ECU certificate using the root CA certificate, and verifies the fraud determination rule using the ECU certificate. Rule-retaining unit 62 of security ECU 20 updates the fraud determination rule in the case that both the ECU certificate and the fraud determination rule are successfully verified. A typical digital signature algorithm is used in the signature provision and the verification.

Reference data retaining unit 64 retains the data of a second frame referred to in the fraud determination processing performed on a first frame and the identifier (that is, the determination rule reference data identifier) of the second frame while correlating the data of the second frame and the identifier with each other. In other words, reference data retaining unit 64 retains determination rule reference data that is data extracted from the second frame according to determination rule reference data information defined by the fraud determination rule corresponding to the (frame ID of) second frame.

In the case that frame interpreter 68 completes the reception of one frame and interprets the received frame as the updating fraud determination rule based on the ID of the received frame, frame interpreter 68 transmits the received frame to rule-retaining unit 62. In the case that frame interpreter 68 does not interpret the received frame as the updating fraud determination rule, namely, in the case that frame interpreter 68 interprets the received frame as the fraud determination target data, frame interpreter 68 transmits the received frame to fraud determination unit 70. Frame interpreter 68 clears reception buffer 60 when the processing of one frame is completed.

Fraud determination unit 70 determines whether the frame transmitted from the external ECU 14 is fraudulent pursuant to the fraud determination rule retained by rule-retaining unit 62. Specifically, fraud determination unit 70 transmits the frame ID of the frame (hereinafter, also referred to as determination target frame) received from frame interpreter 68 to rule-retaining unit 62, and acquires the fraud determination rule correlated with the frame ID from rule-retaining unit 62. Fraud determination unit 70 refers to the fraud determination rule acquired from rule-retaining unit 62, and determines whether the determination target frame is fraudulent. When determining that the determination target frame is fraudulent, fraud determination unit 70 notifies frame generator 72 of the instruction to transmit the error frame.

In the case that frame generator 72 receives the instruction to transmit the error frame from frame interpreter 68 or fraud determination unit 70, frame generator 72 generates the error frame pursuant to the CAN protocol, and transmits the error frame to frame transmission and reception unit 66. In the case that a predetermined condition is satisfied, rule-retaining unit 62 acquires and stores the fraud determination rule retained by another ECU 14. The detailed processing of updating the fraud determination rule will be described later with reference to FIG. 8.

Operation of in-vehicle network system 12 having the above configuration will be described. FIG. 5 is a flowchart illustrating the operation of ECU 14 in FIG. 1. When detecting transmission start of the frame in CAN 22 (Y in S10), frame transmission and reception unit 34 of ECU 14 receives one-bit data of the frame (S12). When the received frame is not the error frame (N in S14), and when the reception of the data for one frame is incomplete (N in S16), frame interpreter 36 adds the received one-bit data to reception buffer 30 (S18), and the operation returns to S12.

When the data of one frame is complete (Y in S16), and when the frame ID is the predetermined value indicating the frame to be processed by the own ECU (Y in S20), frame interpreter 36 performs data processing based on the received frame (S22). For example, frame interpreter 36 may acquire the data designated by the received remote frame from sensor 16 connected to the own ECU, and transmit the data frame including the acquired data to CAN 22. Frame interpreter 36 may transmit the data designated by the received remote frame to actuator 18, and transmit the data frame including a control result of actuator 18 to CAN 22. As one aspect of the frame processing in S22, frame interpreter 36 and frame generator 40 perform processing of providing the fraud determination rule previously stored in the own ECU to security ECU 20 in the case that the received frame includes the request to transmit the fraud determination rule. The detailed processing of providing the fraud determination rule will be described later with reference to FIG. 8.

When the frame ID of the received frame is not the predetermined value (N in S20), frame interpreter 36 skips the processing in S22, and, for example, discards the received frame. When the received frame is the error frame (Y in S14), frame interpreter 36 performs predetermined error processing (S28), and, for example, discards the received frame data. Frame interpreter 36 waits for bus idle of CAN 22 (S24), and clears the received data stored in reception buffer 30 (S26). The flowchart in FIG. 5 is ended when a predetermined end condition such as power off is satisfied (Y in S30), and the operation returns to S10 when the end condition is not satisfied (N in S30). When the transmission start of the frame is undetected (N in S10), the operation skips S12 to S28 to go to the determination in S30.

FIG. 6 is a flowchart illustrating the operation of security ECU 20 in FIG. 1. When detecting the transmission start of the frame in CAN 22 (Y in S40), frame transmission and reception unit 66 of security ECU 20 receives one-bit data of the frame (S42). When the received frame is not the error frame (N in S44), and when the frame ID is unreceived (N in S46), frame interpreter 68 adds the received one-bit data to reception buffer 60 (S48), and the operation returns to S42. When the frame ID is already received (Y in S46), fraud determination unit 70 performs the fraud determination processing (to be described later) (S50). When the fraud is not determined in the fraud determination processing, namely, when the received data is determined to be normal (N in S52), frame interpreter 68 determines whether the data of one frame is received.

When the reception of the data of one frame is incomplete (N in S54), frame interpreter 68 adds the received one-bit data to reception buffer 60 (S48), and the operation returns to S42. When the reception of the data of one frame is completed (Y in S54), frame interpreter 68 waits for the bus idle of CAN 22 (S56), and clears the received data stored in reception buffer 60 (S58). The flowchart in FIG. 6 is ended when a predetermined end condition such as power off is satisfied (Y in S60), and the operation returns to S40 when the end condition is not satisfied (N in S60).

When the received data is determined to be fraudulent in the fraud determination processing (Y in S52), frame generator 72 generates the error frame, and frame transmission and reception unit 66 transmits the error frame to CAN 22 (S62). When determining that the received data is fraudulent, fraud determination unit 70 may record an error in a predetermined log, or issue an instruction to an in-vehicle infotainment (IVI) system or the like to display the error. When the received frame is the error frame (Y in S44), frame interpreter 68 performs predetermined error processing, and, for example, discards the data of the received frame (S64). When the transmission start of the frame is undetected (N in S40), the operation skips the subsequent pieces of processing, and goes to the determination in S60.

In the exemplary embodiment, after the frame ID is received, the fraud determination processing is performed each time one bit is received. Alternatively, the fraud determination processing may be performed each time a plurality of bits constituting a data unit is received. Although not illustrated in FIG. 6, security ECU 20 performs the processing of updating the fraud determination rule stored in rule-retaining unit 62 in cooperation with ECU 14 during starting. The detailed processing of updating the fraud determination rule will be described later with reference to FIG. 8.

FIG. 7 is a flowchart illustrating details of the fraud determination processing in S50 of FIG. 6. Fraud determination unit 70 transfers the frame ID of the received frame to rule-retaining unit 62. Rule-retaining unit 62 searches the retained plurality of fraud determination rules for the fraud determination rule matching the frame ID transferred from fraud determination unit 70 (S70). When no fraud determination rule matching the frame ID exists (N in S72), fraud determination unit 70 determines that the received frame is fraudulent (S84). When the fraud determination rule matching the frame ID exists (Y in S72), fraud determination unit 70 determines whether the received frame is fraudulent pursuant to the individual determination rule of the fraud determination rule having the matched frame ID (S74). When the form or content of the frame deviates from a normal range defined by the individual determination rule, for example, when the frame data length is out of a permissible range defined by the individual determination rule (Y in S76), fraud determination unit 70 determines that the received frame is fraudulent (S84).

When the form or content of the frame is determined to be normal by the individual determination rule (N in S76), fraud determination unit 70 determines whether the received frame is fraudulent pursuant to the external reference determination rule of the fraud determination rule having the matched frame ID (S78). When the form or content of the frame deviates from the normal range defined by the external reference determination rule, for example, when the determination condition defined by the reference determination rule element is not satisfied (Y in S80), fraud determination unit 70 determines that the received frame is fraudulent (S84). When the form or content of the frame is also determined to be normal by the external reference determination rule (N in S80), fraud determination unit 70 determines that the received frame is normal (S82). Fraud determination unit 70 extracts the data referred to by the external reference determination rule of another frame based on the determination rule reference data information in the external reference determination rule. Fraud determination unit 70 stores the extracted data in reference data retaining unit 64 while correlating the extracted data with the determination rule reference data identifier (S86).
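The FIG. 7 flow (S70 to S86) as an added C example, not code from the patent. The rule encoding, the form of the external reference condition (a frame is normal only while a referenced value stays at or below a limit), the choice to skip that check until reference data exists, and all names and sample frames are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define REF_SLOTS 4

typedef struct { uint16_t id; uint8_t dlc; uint8_t data[8]; } can_frame;

/* One fraud determination rule; this encoding is assumed for the example. */
typedef struct {
    uint16_t frame_id;          /* frame ID the rule is correlated with */
    uint8_t  min_dlc, max_dlc;  /* individual determination rule: data length range */
    bool     has_ext;           /* external reference determination rule present */
    uint8_t  ext_ref_id;        /* determination rule reference data identifier */
    uint8_t  ext_max;           /* frame is normal only while reference <= ext_max */
    bool     feeds_ref;         /* this frame supplies reference data for other rules */
    uint8_t  ref_id, ref_byte;  /* slot to store into, data byte to extract */
} fraud_rule;

typedef struct {
    const fraud_rule *rules;    /* contents of rule-retaining unit 62 */
    size_t n_rules;
    bool    ref_valid[REF_SLOTS];   /* reference data retaining unit 64 */
    uint8_t ref[REF_SLOTS];
} detector;

typedef enum { V_NORMAL, V_NO_RULE, V_INDIVIDUAL, V_EXTERNAL } verdict;

static const fraud_rule *find_rule(const detector *d, uint16_t id)
{
    for (size_t i = 0; i < d->n_rules; i++)
        if (d->rules[i].frame_id == id)
            return &d->rules[i];
    return NULL;
}

verdict check_frame(detector *d, const can_frame *f)
{
    const fraud_rule *r = find_rule(d, f->id);      /* S70 */
    if (r == NULL)
        return V_NO_RULE;                           /* N in S72: no rule means fraudulent */

    /* S74/S76: individual determination rule */
    if (f->dlc > 8 || f->dlc < r->min_dlc || f->dlc > r->max_dlc)
        return V_INDIVIDUAL;

    /* S78/S80: external reference determination rule */
    if (r->has_ext) {
        if (r->ext_ref_id >= REF_SLOTS)
            return V_EXTERNAL;                      /* malformed rule: fail closed */
        /* Assumption: the check is skipped until the referenced frame was seen. */
        if (d->ref_valid[r->ext_ref_id] && d->ref[r->ext_ref_id] > r->ext_max)
            return V_EXTERNAL;
    }

    /* S82 reached: frame is normal. S86: keep data other rules refer to. */
    if (r->feeds_ref && r->ref_id < REF_SLOTS && r->ref_byte < f->dlc) {
        d->ref[r->ref_id] = f->data[r->ref_byte];
        d->ref_valid[r->ref_id] = true;
    }
    return V_NORMAL;
}

/* Constructed rule table: 0x100 carries a speed-like value in byte 0;
 * 0x200 is a command frame accepted only while that value is <= 10. */
const fraud_rule sample_rules[] = {
    { .frame_id = 0x100, .min_dlc = 2, .max_dlc = 2,
      .feeds_ref = true, .ref_id = 0, .ref_byte = 0 },
    { .frame_id = 0x200, .min_dlc = 1, .max_dlc = 4,
      .has_ext = true, .ext_ref_id = 0, .ext_max = 10 },
};

int main(void)
{
    detector d = { .rules = sample_rules, .n_rules = 2 };
    const can_frame seq[] = {           /* constructed frames */
        { 0x300, 1, { 0 } },            /* unknown ID */
        { 0x200, 5, { 0 } },            /* data length out of range */
        { 0x100, 2, { 50, 0 } },        /* reference value 50 */
        { 0x200, 2, { 1, 2 } },         /* rejected: 50 > 10 */
    };
    for (size_t i = 0; i < sizeof seq / sizeof seq[0]; i++)
        printf("id=0x%03X verdict=%d\n", seq[i].id, check_frame(&d, &seq[i]));
    return 0;
}
```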

FIG. 8 is a flowchart illustrating the update operation of the fraud determination rule. In FIG. 8, the operation of ECU 14 and the operation of security ECU 20 are divided into lanes. The data transmission and reception between ECU 14 and security ECU 20 are indicated by a broken line. Although only one ECU 14 is illustrated in FIG. 8, security ECU 20 actually performs the processing of updating the plurality of fraud determination rules corresponding to the plurality of ECUs 14 in a sequential or parallel manner.

During the power on of vehicle 10 or the starting of security ECU 20 in association with the power on of vehicle 10, frame generator 72 of security ECU 20 generates the frame (hereinafter, referred to as version request frame) to which a predetermined ID is set, the frame requesting the provision of the version number of the fraud determination rule. Here, "during the starting" refers to the case that an ignition switch of vehicle 10 is switched from off to on. Frame transmission and reception unit 66 transmits the version request frame to CAN 22 (S90).

When frame interpreter 36 of ECU 14 detects that the version request frame is received based on the frame ID of the received frame, frame generator 40 generates the data frame (hereinafter, referred to as version notification frame) including the version value of the fraud determination rule retained by rule-retaining unit 32. The version notification frame of the exemplary embodiment includes the major version number, the minor version number, and the ECU model number. Frame transmission and reception unit 34 transmits the version notification frame to CAN 22 (S92).

When the frame ID of the received frame is the value of the version notification frame, frame interpreter 68 of security ECU 20 recognizes the received frame as the version notification frame, and transfers the version notification frame to rule-retaining unit 62. Rule-retaining unit 62 decides the necessity of the update of the fraud determination rule based on the major version number and the minor version number that are indicated by the version notification frame. When rule-retaining unit 62 decides that the fraud determination rule should be updated (Y in S94), frame generator 72 of security ECU 20 generates the frame (hereinafter, referred to as certificate request frame) requesting the ECU certificate. Frame transmission and reception unit 66 transmits the certificate request frame to CAN 22 (S96).

When frame interpreter 36 of ECU 14 detects that the certificate request frame is received based on the frame ID of the received frame, frame generator 40 generates the data frame (hereinafter, referred to as certificate frame) including the ECU certificate of the own ECU. Frame transmission and reception unit 34 transmits the certificate frame to CAN 22 (S98).

When the frame ID of the received frame is the value of the certificate frame, frame interpreter 68 of security ECU 20 recognizes the received frame as the certificate frame, and transfers the certificate frame to rule-retaining unit 62. Rule-retaining unit 62 verifies correctness (that is, no falsification) of the ECU certificate included in the certificate frame using the root certificate. When the correctness of the ECU certificate is confirmed (Y in S100), frame generator 72 generates the frame (hereinafter, referred to as rule request frame) requesting the signed fraud determination rule. Frame transmission and reception unit 66 transmits the rule request frame to CAN 22 (S102).

When frame interpreter 36 of ECU 14 detects that the rule request frame is received based on the frame ID of the received frame, frame generator 40 generates the data frame (hereinafter, referred to as rule frame) including the fraud determination rule and the signature that are retained by rule-retaining unit 32. For example, the signature may be data in which a hash value of the fraud determination rule is encrypted using the secret key of ECU 14. Frame transmission and reception unit 34 transmits the rule frame to CAN 22 (S104).

When the frame ID of the received frame is the value of the rule frame, frame interpreter 36 of security ECU 20 recognizes the received frame as the rule frame, and transfers the rule frame to rule-retaining unit 62. Rule-retaining unit 62 verifies the correctness of the fraud determination rule included in the rule frame based on the signature. When the correctness of the fraud determination rule is confirmed (Y in S106), rule-retaining unit 62 stores the fraud determination rule, the major version number, the minor version number, and the like, which are included in the rule frame, in a predetermined storage area (S108).

When the update of the rule is determined to be unnecessary based on the version number (N in S94), when the verification of the correctness of the ECU certificate fails (N in S100), or when the verification of the correctness of the fraud determination rule fails (N in S106), the subsequent pieces of processing are skipped to end the flowchart in FIG. 8. When the negative determination is made in at least one of steps S100 and S106, rule-retaining unit 62 may record the error in the predetermined log, or issue the instruction to display the error to the IVI system or the like.
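The version decision described for rule-retaining unit 62 and the security-ECU side of FIG. 8 (S94, S100, S106, S108), as an added C example that is not part of the patent. The struct layouts, the callback interface and all names are assumptions, and the two `demo_verify_*` functions are constructed stand-ins for the real certificate and signature checks.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RULE_MAX 64

/* What rule-retaining unit 62 keeps per ECU model number (layout assumed). */
typedef struct {
    bool     present;
    uint16_t model;
    uint8_t  major, minor;
    uint8_t  rule[RULE_MAX];
    size_t   rule_len;
} rule_entry;

/* Everything one ECU 14 sends during FIG. 8 (S92, S98, S104), gathered. */
typedef struct {
    uint16_t model;
    uint8_t  major, minor;
    const uint8_t *cert; size_t cert_len;
    const uint8_t *rule; size_t rule_len;
    const uint8_t *sig;  size_t sig_len;
} ecu_reply;

/* Hypothetical hooks behind which the real signature checks would sit. */
typedef bool (*verify_cert_fn)(const uint8_t *cert, size_t cert_len);
typedef bool (*verify_rule_fn)(const ecu_reply *r);

typedef enum { UPD_NOT_NEEDED, UPD_BAD_CERT, UPD_BAD_RULE, UPD_STORED } update_result;

/* S94: version policy of the exemplary embodiment. */
bool update_needed(const rule_entry *cur, const ecu_reply *r)
{
    if (!cur->present)              /* assumption: nothing stored yet, so acquire */
        return true;
    if (r->major != cur->major)     /* mismatch: replace even if the ECU's major is older */
        return true;
    return r->minor > cur->minor;   /* same major: only a newer minor replaces */
}

/* Because a major mismatch replaces the rule even with an older version,
 * S100 and S106 are the checks that decide whether anything is stored. */
update_result run_update(rule_entry *cur, const ecu_reply *r,
                         verify_cert_fn vcert, verify_rule_fn vrule,
                         unsigned *error_log)
{
    if (!update_needed(cur, r))
        return UPD_NOT_NEEDED;                      /* N in S94 */
    if (!vcert(r->cert, r->cert_len)) {             /* N in S100 */
        ++*error_log;
        return UPD_BAD_CERT;
    }
    if (r->rule_len > RULE_MAX || !vrule(r)) {      /* N in S106 */
        ++*error_log;
        return UPD_BAD_RULE;
    }
    memcpy(cur->rule, r->rule, r->rule_len);        /* S108 */
    cur->rule_len = r->rule_len;
    cur->model = r->model;
    cur->major = r->major;
    cur->minor = r->minor;
    cur->present = true;
    return UPD_STORED;
}

/* Constructed stand-ins so the sample runs offline. They are NOT cryptography:
 * a real unit checks the certificate against the root CA certificate and the
 * rule signature against the key in that certificate. */
bool demo_verify_cert(const uint8_t *cert, size_t len)
{
    return len >= 1 && cert[0] == 0xCA;
}

bool demo_verify_rule(const ecu_reply *r)
{
    uint8_t x = 0;
    for (size_t i = 0; i < r->rule_len; i++)
        x ^= r->rule[i];
    return r->sig_len == 1 && r->sig[0] == x;
}

int main(void)
{
    /* Constructed sample: 2.3 is stored; a replaced ECU reports the older 1.0. */
    rule_entry cur = { .present = true, .model = 0x14, .major = 2, .minor = 3 };
    const uint8_t cert[] = { 0xCA }, rule[] = { 0x10, 0x22, 0x05 }, sig[] = { 0x37 };
    ecu_reply r = { 0x14, 1, 0, cert, sizeof cert, rule, sizeof rule, sig, sizeof sig };
    unsigned errors = 0;
    update_result res = run_update(&cur, &r, demo_verify_cert, demo_verify_rule, &errors);
    printf("result=%d stored=%u.%u errors=%u\n", res, cur.major, cur.minor, errors);
    return 0;
}
```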

In in-vehicle network system 12 of the exemplary embodiment, the fraud determination rule retained by security ECU 20 is easily updated so as to follow the replacement of each of the many installed ECUs 14 or a change due to a firmware update. That is, the maintenance cost of the fraud determination rule retained by security ECU 20 can be reduced. The fraud determination rule retained by security ECU 20 can efficiently be updated at appropriate timing based on the version value of the fraud determination rule retained by security ECU 20 and the version value of the fraud determination rule retained by ECU 14.

The present invention is described above based on the exemplary embodiment. It will be understood by those skilled in the art that these exemplary embodiments are merely examples, that other modifications in which each component and/or each piece of processing of the exemplary embodiment are variously combined can be made, and that such modifications still fall within the scope of the present invention.

Variations of the update of the fraud determination rule will be described as a first modification. (1) In the case that ECU 14 does not reply even if security ECU 20 requests the version number of the fraud determination rule from ECU 14, security ECU 20 may repeat the request for the version number at T-second intervals until ECU 14 replies. In the case that the reply from ECU 14 is not received even if the request is repeated N times (N is an integer of 2 or more), security ECU 20 may recognize ECU 14 of the request destination as an inactive ECU. The inactive ECU can be regarded as an ECU that is not operating normally, or as a fraudulent ECU.

(2) In the case that ECU 14 does not reply even if security ECU 20 requests the ECU certificate or the fraud determination rule from ECU 14, security ECU 20 may repeat the request at predetermined S-second intervals until ECU 14 replies. In the case that the reply from ECU 14 is not received even if the request is repeated M times (M is an integer of 2 or more), security ECU 20 may recognize ECU 14 of the request destination as the inactive ECU. At this point, desirably T≥S and N≥M hold. It is unlikely that the ECU certificate or the fraud determination rule cannot be acquired once the version number has been acquired. In that case the possibility of a fraudulent ECU is high, and these settings allow the fraudulent ECU to be detected early.

(3) Security ECU 20 stores the ECU model number of the inactive ECU. Fraud determination unit 70 (or frame interpreter 68) of security ECU 20 refers to the fraud determination rule specified by the frame ID of the received frame, and determines that the received frame is the frame transmitted from the inactive ECU in the case that the ECU model number of the fraud determination rule matches the model number of the inactive ECU. Fraud determination unit 70 determines that all the frames transmitted from the inactive ECU are fraudulent irrespective of the corresponding fraud determination rule. This is because there is a high possibility that such a frame is transmitted from the fraudulent ECU.

A second modification will be described. In in-vehicle network system 12 of the exemplary embodiment, the processing of updating the fraud determination rule is performed during the starting associated with the power on or the like. As the second modification, security ECU 20 (for example, frame generator 72) may perform the update processing on the fraud determination rule of ECU 14 that is the replacement or update target in the case that the replacement of ECU 14 or the update of the firmware is detected.

A third modification will be described. In the exemplary embodiment, the in-vehicle network system is CAN 22. Alternatively, the in-vehicle network system may be another type of network such as Ethernet (registered trademark).

A fourth modification will be described. ECU 14 of the exemplary embodiment provides the fraud determination rule and its version to security ECU 20 in response to the request from security ECU 20. As the fourth modification, ECU 14 may spontaneously and actively perform the processing of transmitting the fraud determination rule and its version, which are stored in rule-retaining unit 32, to security ECU 20 without waiting for the request from security ECU 20 during the starting associated with the power on or the like, update of the firmware, or the replacement.

A fifth modification will be described. Security ECU 20 of the exemplary embodiment is a dedicated device that detects the fraud of the frame transmitted from ECU 14. Alternatively, as the fifth modification, the frame processing similar to ECU 14 may further be performed. That is, security ECU 20 of the fifth modification may be connected to sensor 16 or security ECU 20, and have a function of determining whether the received frame is fraudulent and a function (for example, S22 in FIG. 5) of performing the data processing based on the received frame in the case that the received frame is normal.

The techniques described in the exemplary embodiment and the modifications may be specified by the following items.

[Item 1]

A fraud detection electronic control unit is connected to another electronic control unit through an in-vehicle network system. The fraud detection electronic control unit includes a storage and a determination unit. The storage stores a first regulation for determining whether the frame transmitted from the electronic control unit is fraudulent. The determination unit determines whether the frame transmitted from the electronic control unit is fraudulent pursuant to the first regulation. When a predetermined condition is satisfied, the storage acquires a second regulation retained by the electronic control unit and updates the stored first regulation.

In the fraud detection electronic control unit, the security of the in-vehicle network system can efficiently be improved.

[Item 2]

The storage may acquire the value of a second version of the second regulation retained by the electronic control unit, and update the stored first regulation according to the comparison result between the acquired value of the second version and the value of a first version of the first regulation previously stored in the storage.

In this aspect, the first regulation retained by the fraud detection electronic control unit can efficiently be updated.

[Item 3]

The value of the first version of the first regulation may include the value of a first major version and the value of a first minor version. The value of the second version of the second regulation may include the value of a second major version and the value of a second minor version. The storage may update the stored first regulation (1) when the value of the acquired second minor version is newer than the value of the previously stored first minor version while the value of the acquired second major version matches the value of the previously stored first major version. The storage may update the stored regulation (2) even if the value of the second major version is older than the value of the first major version when the value of the acquired second major version does not match the value of the previously stored first major version.

In this aspect, the first regulation retained by the fraud detection electronic control unit can efficiently be updated at appropriate timing.

[Item 4]

The electronic control unit is connected to the fraud detection electronic control unit through the in-vehicle network system. The electronic control unit includes the storage and the transmission and reception unit. The storage stores the regulation for determining whether a frame transmitted onto the in-vehicle network system is fraudulent, the frame having the same frame ID (identification) as a frame transmitted from the electronic control unit. The transmission and reception unit receives the regulation transmission request from the fraud detection electronic control unit. The transmission and reception unit transmits the regulation stored in the storage to the fraud detection electronic control unit in response to the regulation transmission request, the regulation being used in order that the fraud detection electronic control unit determines whether the frame of the same frame ID as the frame transmitted from the electronic control unit is fraudulent.

In the electronic control unit, the security of the in-vehicle network system can efficiently be improved.

[Item 5]

The in-vehicle network system includes the electronic control unit and the fraud detection electronic control unit connected to the electronic control unit through the in-vehicle network system. The fraud detection electronic control unit includes a first storage, a determination unit, and a first transmission and reception unit. The first storage stores a first regulation in order to determine whether a frame transmitted from the electronic control unit is fraudulent. The determination unit determines whether the frame transmitted from the electronic control unit is fraudulent pursuant to the first regulation. When a predetermined condition is satisfied, the first transmission and reception unit transmits a second regulation transmission request to the electronic control unit. When the predetermined condition is satisfied, the first storage acquires the second regulation retained by the electronic control unit, and updates the stored first regulation. The electronic control unit includes a second storage and a second transmission and reception unit. The second storage stores the second regulation for determining whether a frame transmitted onto the in-vehicle network system is fraudulent, the frame having the same frame ID as a frame transmitted from the electronic control unit. The second transmission and reception unit receives the second regulation transmission request, and transmits the second regulation previously stored in the second storage to the fraud detection electronic control unit in response to the second regulation transmission request.

In the in-vehicle network system, the security of the in-vehicle network system can efficiently be improved.

[Item 6]

A fraud detection method is performed by a fraud detection electronic control unit connected to another electronic control unit through an in-vehicle network system, the fraud detection electronic control unit storing a regulation for determining whether a frame transmitted from another electronic control unit is fraudulent in a storage. The fraud detection method includes determining whether a frame transmitted from the electronic control unit is fraudulent pursuant to a first regulation. The fraud detection method includes acquiring a second regulation retained by the electronic control unit and updating the first regulation stored in the storage when a predetermined condition is satisfied.

In the fraud detection method, the security of the in-vehicle network system can efficiently be improved.

[Item 7]

A fraud detection method is performed by an electronic control unit connected to a fraud detection electronic control unit through an in-vehicle network system, the electronic control unit storing a regulation for determining whether a frame of the same frame ID as a frame transmitted from the electronic control unit is fraudulent in a storage. The fraud detection method includes receiving a regulation transmission request from the fraud detection electronic control unit. The fraud detection method includes transmitting the regulation stored in the storage to the fraud detection electronic control unit in response to the regulation transmission request, the regulation being used in order that the fraud detection electronic control unit determines whether the frame transmitted from the electronic control unit is fraudulent.

In the fraud detection method, the security of the in-vehicle network system can efficiently be improved.

[Item 8]

A computer program causes a fraud detection electronic control unit to store a first regulation for determining whether a frame transmitted from an electronic control unit is fraudulent in a storage, the fraud detection electronic control unit being connected to the electronic control unit through an in-vehicle network system. The performance caused by the computer program includes determining whether the frame transmitted from the electronic control unit is fraudulent pursuant to the first regulation. The performance caused by the computer program includes acquiring a second regulation retained by the electronic control unit, and updating the first regulation stored in the storage when a predetermined condition is satisfied.

In the computer program, the security of the in-vehicle network system can efficiently be improved.

[Item 9]

A computer program causes an electronic control unit to store a regulation for determining whether a frame of the same frame ID as a frame transmitted from the electronic control unit is fraudulent in a storage, the electronic control unit being connected to a fraud detection electronic control unit through an in-vehicle network system. The performance caused by the computer program includes receiving a regulation transmission request from the fraud detection electronic control unit. The performance caused by the computer program includes transmitting the regulation stored in the storage to the fraud detection electronic control unit in response to the regulation transmission request, the regulation being used in order that the fraud detection electronic control unit determines whether the frame transmitted from the electronic control unit is fraudulent.

In the in-vehicle network system, the security of the in-vehicle network system can efficiently be improved.

Any combination of the exemplary embodiment and the modifications is also useful as an exemplary embodiment of the present invention. A new exemplary embodiment generated by the combination has the effect of each of the combined exemplary embodiment and modifications. Those skilled in the art understand that the function that should be fulfilled by each of the components described in the claims is implemented by a single one of, or by cooperation of, the components indicated in the exemplary embodiment and modifications.

INDUSTRIAL APPLICABILITY

The present invention can be used to update the regulation detecting the fraud not only in a network of a moving body such as a vehicle but also between units connected by a general-purpose network.

REFERENCE MARKS IN THE DRAWINGS

10: vehicle

12: in-vehicle network system

14, 14 a, 14 b: ECU (electronic control unit)

16: sensor

18: actuator

20: security ECU (fraud detection electronic control unit)

30: reception buffer

32: rule-retaining unit ((second) storage)

34: frame transmission and reception unit ((second) transmission and reception unit)

36: frame interpreter

38: data transmission and reception unit

40: frame generator

50: fraud determination rule (regulation)

52: individual determination rule

54: external reference determination rule

60: reception buffer

62: rule-retaining unit ((first) storage)

64: reference data retaining unit

66: frame transmission and reception unit ((first) transmission and reception unit)

68: frame interpreter

70: fraud determination unit (determination unit)

72: frame generator

1. A fraud detection electronic control unit connected to an electronic control unit through an in-vehicle network system, the fraud detection electronic control unit comprising: a storage that stores a first regulation for determining whether a frame transmitted from the electronic control unit is fraudulent; and a determination unit that determines whether the frame transmitted from the electronic control unit is fraudulent in accordance with the first regulation, wherein when a predetermined condition is satisfied, the storage acquires a second regulation retained by the electronic control unit and updates the stored first regulation to the second regulation.

2. The fraud detection electronic control unit according to claim 1, wherein the storage acquires a value of a second version of the second regulation retained by the electronic control unit, and updates the stored first regulation according to a comparison result between the value of the second version acquired and a value of a first version of the first regulation previously stored in the storage.

3. The fraud detection electronic control unit according to claim 2, wherein a value of the first version of the first regulation includes a value of a first major version and a value of a first minor version, a value of the second version of the second regulation includes a value of a second major version and a value of a second minor version, and the storage updates the stored first regulation (1) when a value of the second minor version of the value of the acquired second version is newer than a value of the first minor version of the value of the previously stored first version in a case where a value of the second major version of the value of the acquired second version is matched with a value of the first major version of the value of the previously stored first version, and updates the stored first regulation (2) even when the value of the second major version of the value of the acquired second version is older than the value of the first major version of the value of the previously stored first version in a case where the value of the second major version of the value of the acquired second version is not matched with the value of the first major version of the value of the previously stored first version.

4. An electronic control unit connected to a fraud detection electronic control unit through an in-vehicle network system, the electronic control unit comprising: a storage that stores a regulation for determining whether a frame transmitted onto the in-vehicle network system is fraudulent, the frame having a frame ID (identification) identical to a frame ID of a frame transmitted from the electronic control unit; and a transmission and reception unit that receives a transmission request of the regulation from the fraud detection electronic control unit, and transmits the regulation stored in the storage to the fraud detection electronic control unit in response to the transmission request of the regulation, the regulation being used in order that the fraud detection electronic control unit determines whether the frame having the frame ID identical to the frame ID of the frame transmitted from the electronic control unit is fraudulent.

5. The fraud detection electronic control unit according to claim 1, wherein the second regulation retained by the electronic control unit is for determining whether a frame transmitted onto the in-vehicle network system is fraudulent, the frame having a frame ID (identification) identical to a frame ID of a frame transmitted from the electronic control unit.

6. A non-transitory recording medium in which a computer program is described, the computer program causing a fraud detection electronic control unit connected to an electronic control unit through an in-vehicle network system and storing, in a storage, a first regulation for determining whether a frame transmitted from the electronic control unit is fraudulent to determine whether the frame transmitted from the electronic control unit is fraudulent in accordance with the first regulation, and to acquire a second regulation retained by the electronic control unit and update the first regulation stored in the storage when a predetermined condition is satisfied.
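The version comparison recited in claims 2 and 3 can be written as a small decision function; the following is an added illustration, not code from the patent. The struct layout, the names, the frame ID check and the convention that a larger number means a newer version are all assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical layout: the claims only require a major and a minor value. */
typedef struct { uint8_t major; uint8_t minor; } rule_version_t;

typedef struct {
    uint16_t       frame_id;  /* frame ID the regulation applies to */
    rule_version_t version;
    uint8_t        body[8];   /* opaque rule payload (constructed) */
} fraud_rule_t;

typedef enum { RULE_KEEP, RULE_UPDATE_MINOR, RULE_UPDATE_MAJOR } rule_decision_t;

/* Compare the stored (first) version with the acquired (second) version. */
rule_decision_t decide_update(rule_version_t stored, rule_version_t acquired)
{
    if (acquired.major == stored.major) {
        /* Case (1): same major, update only for a newer minor.
           Assumption: a larger number means a newer version. */
        return acquired.minor > stored.minor ? RULE_UPDATE_MINOR : RULE_KEEP;
    }
    /* Case (2): major differs, update even if the acquired major is older. */
    return RULE_UPDATE_MAJOR;
}

/* Replace the stored regulation when the decision says so; report which path fired. */
rule_decision_t apply_update(fraud_rule_t *stored, const fraud_rule_t *acquired)
{
    if (stored->frame_id != acquired->frame_id)
        return RULE_KEEP;  /* assumed guard: a rule for another frame ID is ignored */
    rule_decision_t d = decide_update(stored->version, acquired->version);
    if (d != RULE_KEEP)
        *stored = *acquired;
    return d;
}

int main(void)
{
    /* Constructed sample: security ECU holds v2.3, the ECU reports v1.7. */
    fraud_rule_t stored   = { 0x100, { 2, 3 }, { 0 } };
    fraud_rule_t acquired = { 0x100, { 1, 7 }, { 0xAA } };
    rule_decision_t d = apply_update(&stored, &acquired);
    printf("decision=%d stored=v%u.%u\n", (int)d,
           (unsigned)stored.version.major, (unsigned)stored.version.minor);
    return 0;
}
```

Returning the decision rather than a plain boolean lets the caller record when case (2) replaced the stored regulation with one carrying an older major version.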